Hello!
first of all, thanks again to everybody who helped, both on and off-list!
Right now, the original SSL problems seem all gone, and after turning
off ipv6 even gmail started to accept my email. Now I can connect with
mutt from home, access mailboxes over imaps, send email using ssl/tls
to any domain I have been able to try.
To get there, I had as I said to turn off ipv6, as shown in postconf
-n output below. Honestly, I have no idea if and what exactly I am
missing by not using ipv6, thanks in advance to whoever steps in to
explain.
In any case, I can say that the configuration below seems to be a
decent solution so far for running postfix 2.10 on Centos, for a small
number of users and domains, and without running any rdbms.
Next step is to figure out which between rainloop and roundcube is a
better/easier/safer webmail to set up.
General comments and/or tips on how to harden this, with stronger
ciphers or other stuff, are very welcome. Ditto for pointers to online
services to test if anything is OK wrt dkim, spf, dns, blacklists,
greylisting... (I DO know some of them, but not sure if they are the
most efficient). If anybody feels like receiving one email from that
server, just to confirm to me that everything is fine, please let me
know.
Thanks, and off to dinner and bed now...
Marco
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix-2.4.3-documentation/html
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = $myhostname
myhostname = a.mx.example.com
mynetworks = 127.0.0.0/8, myhomeipaddress
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
procmail_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.3-documentation/readme
relay_domains =
sample_directory = /etc/postfix
sender_dependent_relayhost_maps = hash:/etc/postfix/mymaps/relayhost_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_address_preference = ipv4
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps = hash:/etc/postfix/mymaps/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = check_client_access
cidr:/etc/postfix/client_checks, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_helo_access hash:/etc/postfix/reject_own_helo,
check_policy_service unix:postgrey/socket
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/archive/example.com/fullchain1.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/letsencrypt/archive/example.com/privkey1.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/mymaps/valias.map
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/mymail_storage
virtual_mailbox_domains = /etc/postfix/mymaps/vhosts.map
virtual_mailbox_maps = hash:/etc/postfix/mymaps/vmailboxes.map
virtual_transport = procmail
virtual_uid_maps = static:1001
################################################################
postconf -Mf:
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
-o
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
procmail unix - n n - - pipe
flags=D user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
EXTENSION=${extension} /usr/local/etc/procmailrc.common
